IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019 4907

Stealthy Adversaries Against UncertainCyber-Physical Systems: Threat of Robust

Zero-Dynamics AttackGyunghoon Park , Chanhwa Lee , Hyungbo Shim , Senior Member, IEEE,

Yongsoon Eun , Member, IEEE, and Karl H. Johansson , Fellow, IEEE

Abstract—In this paper, we address the problem of con-structing a robust stealthy attack that compromises uncer-tain cyber-physical systems having unstable zeros. We firstinterpret the (non-robust) conventional zero-dynamics at-tack based on Byrnes–Isidori normal form, and then presenta new robust zero-dynamics attack for uncertain plants. Dif-ferent from the conventional strategy, our key idea is toisolate the real zero-dynamics from the plant’s input–outputrelation and to replace it with an auxiliary nominal zero-dynamics. As a result, this alternative attack does not re-quire the exact model knowledge anymore. The price to payfor the robustness is to utilize the input and output signalsof the system (i.e., disclosure resources). It is shown thata disturbance observer can be employed to realize the newattack philosophy when there is a lack of model knowledge.Simulation results with a hydro-turbine power system arepresented to verify the attack performance and robustness.

Index Terms—Disturbance observer, robustness, secu-rity, uncertain system, zero-dynamics attack.

Manuscript received May 3, 2018; revised December 2, 2018; ac-cepted February 3, 2019. Date of publication March 7, 2019; date ofcurrent version December 3, 2019. This work was supported in partby Institute for Information & Communications Technology Promotion(IITP) grant funded by the Korea government (MSIT) (2014-0-00065,Resilient Cyber-Physical Systems Research), and in part by NationalResearch Foundation of Korea (NRF) grant funded by the Korea govern-ment (Ministry of Science and ICT) (No. NRF-2017R1E1A1A03070342).K. H. Johansson was partially supported by the Knut and Alice Wal-lenberg Foundation, the Swedish Strategic Research Foundation, andthe Swedish Research Council. Recommended by Associate Editor Z.Wang. This paper was presented in part at the material in this paperwas partially presented at the 55th IEEE Conference on Decision andControl, Las Vegas, USA, December 2016 [1]. (Corresponding author:Hyungbo Shim.)

G. Park is with the Center for Intelligent and Interactive Robotics, KoreaInstitute of Science and Technology, Seoul 136-791, Korea (e-mail:,gyunghoon.p@gmail.com).

C. Lee is with the Research & Development Division, HyundaiMotor Company, Gyeonggi-do 18280, Korea (e-mail:, chanhwa.lee@gmail.com).

H. Shim is with the ASRI, Department of Electrical and ComputerEngineering, Seoul National University, Seoul 08826, Korea (e-mail:,hshim@snu.ac.kr).

Y. Eun is with the Department of Information & Communication En-gineering, Daegu Gyeongbuk Institute of Science & Technology, Daegu47988, Korea (e-mail:,yeun@dgist.ac.kr).

K. H. Johansson is with the ACCESS Linnaeus Centre, School of Elec-trical Engineering, KTH Royal Institute of Technology, 144 28 Stockholm,Sweden (e-mail:,kallej@kth.se).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TAC.2019.2903429

I. INTRODUCTION

MODERN control systems often have complex structuresintegrating physical plants and digital devices, which are

linked through communication networks. These cyber-physicalsystems (CPS) offer great opportunities to achieve high cost effi-ciency and productivity over traditional control systems [2]–[4].

Yet at the same time, CPS are vulnerable to malicious at-tackers, as nowadays the data networks are easier to access byanonymous users. Serious cyber threats to CPS already havetaken place in recent years, such as the attacks on the U.S. elec-tric grid [5] and the Stuxnet malware [6]. In this context, it isnot surprising that security of the CPS has attracted widespreadattention with emerging resilient control and secure estimationschemes [7]–[12].

With the increased interest, a variety of cyber attack sce-narios have been studied from a control-theoretic perspective;e.g., denial-of-service (DoS) attack, replay attack [13], zero-dynamics attack [7], [8], [14], bias injection attack [7], opti-mal linear attack [15], switching location attack [16], multi-ratesampling attack [17], to name just a few. Among various pur-poses of these attacks, stealthiness is of utter importance tomost adversaries: i.e., when an attack signal enters CPS, its im-pact should not be detected by any anomaly detector. In viewof the adversary, one approach for achieving stealthiness is toemploy structural information of the plant in the attack design.For instance, zero-dynamics attack is known as a model-basedattack strategy that remains stealthy [7], [8], [14]. In this attackscenario, the adversary duplicates exactly the real unstable zero-dynamics of non-minimum phase plants. As a result, the attacksignal conceals itself in the so-called output-nulling space, evenif a large amount of false data are injected into the plant [7],[14].

Model-based attacks may easily lose their stealthiness whenthe model knowledge is not perfect. Indeed, even small mis-match between the real and estimated models leaves the zero-dynamics attack detectable [14]. This fundamental limitation ofmodel-based attacks has led to recent developments of attackprevention strategies, such as structural modification schemes[14], [18]. Furthermore, exact model knowledge is not obtain-able in many industrial problems, which is another hurdle to theattacker. If so, are CPS be safe from these lethal stealthy attacksthanks to model uncertainty?

0018-9286 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications standards/publications/rights/index.html for more information.

4908 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

Fig. 1. Cyber-physical attack space [10] with model knowledge, dis-ruption, and disclosure resources: The robust zero-dynamics attack is atentirely new location.

Interestingly, we find in this paper that it may not be the casewhen the attacker employs robust control techniques in their at-tack designs. Specifically, we address the problem of construct-ing a robust zero-dynamics attack that is stealthy for uncertainnon-minimum phase plants. Moving away from the traditionalmethods, our key idea is: 1) to eliminate the effect of modeluncertainty and the real zero-dynamics from the input–outputrelation in the plant’s dynamics, and 2) to build up an auxil-iary nominal zero-dynamics which replaces the role of the realcounterpart. Then the actual zero-dynamics is left alone whilebeing unstable, and thus its state trajectory will diverge withoutbeing detected. This new philosophy is realized by regarding theterms to be eliminated as a so-called lumped disturbance, andby designing a robust controller that estimates and compensatesthe lumped disturbance. Actually, all this can be done by dis-turbance observer [19], [20], which will play the role of attackgenerator in this work. It is worth mentioning that the price topay for less model knowledge is the necessity of the controlinput and the plant’s output information; in other words, theproposed robust zero-dynamics attack requires more disclosureresources [10], as depicted in Fig. 1.

Notation: For column vectors a and b, we write [a; b] forcol(a, b) = [a�, b�]�. For two sets A and B, the distance be-tween the sets is defined as dist(A,B) := infa∈A,b∈B ‖a− b‖.In addition, A is said to be strictly larger than B if A ⊃ B anddist(∂A, ∂B) > 0 where ∂A indicates the boundary of A. Fora square matrixM , Λ(M) indicates the set of the eigenvalues ofM . The zero vector is denoted by 0k ∈ Rk , while 0k×m ∈ Rk×m

and Ik ∈ Rk×k indicate the zero and identity matrices, respec-tively. For simplicity, we often write them without the subscriptsif their dimensions are obvious.

II. NORMAL FORM-BASED INTERPRETATION OF

ZERO-DYNAMICS ATTACK

Zero-dynamics attack is a systematic methodology to com-promise a class of CPS whose physical plants are of non-minimum phase [7], [9], [14], including a variety of mod-ern control systems such as power generating systems [22],

autopilots for unmanned automated vehicles [23], water levelcontrol systems [24], [25], to name just a few. The basic conceptof the attack is that the attack generator produces a signal basedon the unstable zero-dynamics of the physical plant and injectsits diverging output into the actuator channel. This consequentlyleads to two important features: 1) the actual (zero-dynamics)state diverges as time elapses, and 2) the plant’s state remainsclose to the output-nulling space so that the corresponding out-put is almost zero. By the latter property, the zero-dynamicsattack has been known as a stealthy attack.

In this section, we re-interpret the zero-dynamics attack. Inparticular, while the geometric control theory [7] usually hasbeen employed as a tool for the analysis in the literature, wehere present another way to analyze the attack, based on theByrnes–Isidori normal form [21, Ch. 13]. This new approachwill allow us to gain further insight on the attack, especially onits fundamental limitation against model uncertainty.

A. System Description

Consider a linear single-input single-output (SISO) plant un-der an actuator attack, especially represented in the Byrnes–Isidori normal form1

z = Sz +Gy, (1a)

x = Aν x+ Bν

(ψ�z + φ�x+ g(u+ a)

), (1b)

y = Cν x

where z ∈ Rμ and x ∈ Rn−μ are the states with the relativedegree ν := n− μ ≥ 1, y ∈ R is the output,u ∈ R is the controlinput, and a ∈ R is the attack signal that enters the actuatorchannel. For an integer i ≥ 1, the matrices Ai , Bi , and Ci aregiven by

Ai :=

[0i−1 Ii−1

0 0�i−1

]

, Bi :=

[0i−1

1

]

, Ci :=[1 0�i−1

].

The matrices S, G, ψ, and φ, and the scalar g are with suitabledimensions. Without loss of generality, it is supposed that (1)is controllable and observable, and the high-frequency gain g ispositive.

For now, it is assumed that at least one of the eigenvaluesof S lies in the open right half-plane (so that the plant (1)is of non-minimum phase). Then without loss of generality,the z-dynamics (1a) can be rewritten (by applying a suitablecoordinate change for z) as

[zu

zs

]

=

[Su 0

0 Ss

][zu

zs

]

+

[Gu

Gs

]

y (2)

where Su ∈ Rμu×μu and Ss ∈ Rμs×μs are square matrices withμu ≥ 1 and μs := μ− μu, such that all the eigenvalues of Su

andSs are located in the open right half-plane and the closed left

1Any (strictly proper) SISO linear system can be transformed into the Byrnes–Isidori normal form [21, Ch. 13]. In this form, the zeros of the transfer functionof the SISO linear system coincide with the eigenvalues of S . For this reason,z = Sz is called the zero-dynamics.

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4909

half-plane, respectively. The matrices Gu and Gs are constantand satisfy G = [Gu;Gs].

The control input u in (1) is supposed to be generated by anoutput feedback controller

c = Pc+Q(r − y), u = Jc+K(r − y). (3)

Here c ∈ Rm is the controller state, and r ∈ R is the referencesignal, which is bounded and sufficiently smooth with boundedtime derivatives, andP ,Q,J , andK are some constant matrices.We assume that without the attack (i.e., a(t) ≡ 0), the closed-loop system (1) and (3) is stable. Note that we are not assumingthe plant (1) is stable.

As introduced in the previous works [7], [14], the zero-dynamics attack is usually constructed by duplicating the zero-dynamics of the plant (1). In particular, with the help of thenormal form representation, one can express the attack as

za = Sza, aza = −1gψ�za (4)

where za =: [zau ; za

s ] ∈ Rμu+μs is the attacker’s state. (In whatfollows, the superscript “a” is used to indicate signals generatedby the adversary.) To activate the unstable mode of the za-dynamics (4), the initial condition za

u(t0) of the unstable partis selected as a nonzero vector. (Hereinafter, we denote themoment when the attack a(t) enters the system as t = t0 .)

B. Performance of Zero-Dynamics Attack

We start the analysis of the attack (4) with a new variableχ := [x; c] ∈ Rν+m . Then the actual stable closed-loop system(1) and (3) can be rewritten in a more compact form

z = Sz +GCχ, (5a)

y = Cχ, χ = Aχ+ Er +B(ga+ ψ�z

)(5b)

where the matrices A, B, C, and E are given by

A :=

[Aν + Bν

(φ� − gKCν

)gBν J

−QCν P

]

, (6a)

B :=

[Bν

0m

]

, E :=

[gBνK

Q

]

, C :=[

Cν 0�m]. (6b)

For comparison, by putting a(t) ≡ 0 into (5) we obtain an(auxiliary) attack-free closed-loop system

zo = Szo +GCχo, (7a)

yo = Cχo, χo = Aχo + Er +Bψ�zo (7b)

where χo =: [xo; co] is the attack-free counterpart of χ.Now, the nature of the zero-dynamics attack (4) is introduced

in the following proposition.Proposition 1: The solution [za(t); z(t);χ(t)] of the closed-

loop system (5) under the attack a = aza in (4), initiated inRμ × Rμ × Rν+m , satisfies the following statements:

a) For any za(t0) ∈ Rμ such that zau(t0) �= 0,

‖zu(t)‖ → ∞ as t→ ∞; (8)

b) For the solution [zo;χo] of the attack-free system (7)initiated at [zo(t0);χo(t0)] = [z(t0);χ(t0)],∥∥χ(t) − χo(t)

∥∥ ≤ k1e

−λ1 (t−t0 )‖za(t0)‖, ∀t ≥ t0

where k1 > 0 and λ1 > 0 are constant. �Proposition 1 explicitly points out that the zero-dynamics at-

tack (4) is capable of damaging the internal state zu(t) of theplant. We also note that just a small non-zero initial condition‖za

u(t0)‖ of the attack generator (4) will do the job, while main-taining stealthiness in the sense that

‖y(t) − yo(t)‖ = ‖Cχ(t) − Cχo(t)‖ < ε, ∀t ≥ t0 (9)

with a given threshold ε > 0.Proof: Let us define an error variable z := z − za. It is triv-

ial that ga+ ψ�z = ψ�z. It then follows that the closed-loopsystem (5) is transformed into

˙z = z − za = S(z − za) +GCχ = Sz +GCχ, (10a)

χ = Aχ+ Er +Bψ�z (10b)

which has exactly the same (stable) dynamics as the attack-freeone (7). Thus for some positive constants k1 and λ1 ,

∥∥[z(t);χ(t)] − [zo(t);χo(t)]

∥∥

≤ k1e−λ1 (t−t0 )

∥∥[z(t0);χ(t0)] − [zo(t0);χo(t0)]

∥∥

= k1e−λ1 (t−t0 )‖za(t0)‖

where the last equality results from z(t0) = zo(t0) and χ(t0) =χo(t0). This directly implies the item (b). On the other hand,the attacker’s state za(t) generated by (4) with nonzero za

u(t0)must diverge as time goes on. It means that z(t) = za(t) + z(t)also diverges, because the state z(t) of the stable system (10)remains bounded. This completes the proof. �

Remark 1: From the analysis, it is clear that the lower-orderdynamics za

u = Suzau and aza = −(1/g)ψ�

u zau (where ψu is a

suitable partition of ψ) is enough to realize the zero-dynamicsattack. �

C. Limitation of Zero-Dynamics Attack Against ModelUncertainty

It is important to note that exact model knowledge on the plant(1) is of necessity in the design of the zero-dynamics attack(4). However, such a requirement is quite unrealistic. This isbecause in most industrial systems, it is not always possiblefor the attacker (nor for the defender) to obtain the exact plantmodel. In other words, it is natural to assume that the physicalplant (1) has model uncertainty.

Assumption 1: The parameters S,G, ψ, φ, and g of the plant(1) are uncertain, while the uncertain quantities are bounded andtheir bounds are known to the attacker.2 In particular, 0 < g ≤g ≤ g for some constants g and g. �

We assume that the controller (3) is appropriately designed torobustly stabilize the uncertain plant satisfying Assumption 1.

2The attacker need not know exact bounds of uncertainties. Overestimatewould work.

4910 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

From now on, we take a glance at the situation when theattacker tries to design a zero-dynamics attack, in the presence ofthe model uncertainty in Assumption 1. Since the ideal structure(4) is not available at this stage, a possible alternative would be

za = Snza, aza = − 1

gnψ�

n za (11)

where Sn,ψn, and gn > 0 are selected as some nominal counter-parts of S, ψ, and g, respectively. Then, the attack signal aza(t)is exponentially diverging with rate determined by the unstablemodes of Sn. If these modes are different from the zeros of (5)(i.e., the eigenvalues of S), then the output y(t) should divergewith the same exponential rate as those modes. In fact, evenarbitrarily small differences will lead to a diverging output withfixed rate.

From the discussion so far, it may seem that CPS are safefrom those stealthy attacks because model uncertainty exists inpractice. Unfortunately, we find in the next section that there isanother type of stealthy attack which is robust against modeluncertainty.

Remark 2: When the system (1) has a non-trivial transferfunction and is controllable but unobservable, then the unob-servable eigenvalues are the transmission zeros. If those zerosare unstable, then almost all signals a(·) can drive the unob-servable states unbounded. An example is when φ = 0 and Sis not Hurwitz in (1). This attack does not require the modelknowledge, but we exclude these cases by assuming both con-trollability and observability because such systems cannot bestabilized by feedback. �

III. ROBUST ZERO-DYNAMICS ATTACK FOR UNCERTAIN

CYBER-PHYSICAL SYSTEMS

A. Problem Formulation

In what follows, we consider the closed-loop system (1) and(3) (or equivalently, (5)) where the plant (1) of interest hasparametric uncertainty as in Assumption 1. Also, we supposethat the initial conditions z(t0) and χ(t0) of the closed-loopsystem (5) belong to some compact sets Z0 ⊂ Rμ and X0 ⊂Rν+m , respectively.

The following (attack-free) nominal plant of (1) is taken intoaccount:

zn = Snzn +Gnyn,

xn = Aν xn + Bν

(ψ�

n zn + φ�n xn + gnun),

yn = Cν xn (12)

where zn ∈ Rμ and xn ∈ Rν are the nominal states, yn ∈ R isthe nominal output, and un ∈ R is the nominal input, which isgenerated by the existing control law (3) as

cn = Pcn +Q(r − yn), un = Jcn +K(r − yn) (13)

where cn represents the nominal state of the controller. Theparameters Sn,Gn, ψn, φn, and gn > 0 are nominal counterpartsof the actual (uncertain) S,G, ψ, φ, and g > 0, respectively, andthese are the attacker’s selection. The nominal model (12) is ofcourse different from the real plant (1), but it is assumed that

the parameters of (12) are within the uncertainty bounds ofAssumption 1, so that both (1) and (12) have the same relativedegree and the same sign of high-frequency gains g and gn. It willbe seen that the plant (1) behaves like the nominal model (12)by the initiation of the proposed attack. In this context, it may bebetter for stealthiness if the nominal model (12) coincides witha design model used for designing the controller (3) (which,however, requires that the design model is leaked to the attackera priori). For brevity, we often express the nominal closed-loopsystem (12) and (13) with χn := [xn; cn] as

zn = Snzn +GnCχn, (14a)

yn = Cχn, χn = Anχn + Enr +Bψ�n zn (14b)

where An and En are the same as A and E defined in (6), withS, G, ψ, φ, and g being replaced by their nominal counterparts.

We note in advance that similar to (7), the nominal closed-loop system (14) (or equivalently (12) and (13)) will play therole of a reference system in the attack design. For this, thenominal closed-loop system (14) is supposed to be stable; i.e.,the matrix

[Sn GnC

Bψ�n An

]

(15)

is Hurwitz.Now, motivated by Proposition 1, we formulate the problem

of our interest with respect to the uncertain plant.Problem Statement: For given zu > 0 and ε > 0, construct

a robust attack generator

qa = Φ(qa, u, y), a = Ψ(qa, u, y) (16)

that achieves the following properties simultaneously for alladmissible model uncertainties in Assumption 1:

a) ‖zu(t)‖ becomes eventually larger than zu > 0 within afinite time t = tfin ≥ t0 ;

b) ‖y(t) − yn(t)‖ is smaller than the threshold ε > 0 untilthe attack succeeds (i.e., for all t0 ≤ t ≤ tfin). �

The items in Problem Statement can be interpreted as somerefinements of those in Proposition 1. On one hand, item (a)indicates the capability of the attack (16) to damage the plant’sinternal state z(t). Here, zu is one of the attacker’s design spec-ifications. On the other hand, a new notion of stealthiness isintroduced in item (b). Indeed, the actual output y(t) under at-tack is compared with the output yn(t) of the nominal system(14), rather than with yo(t) of the (attack-free) uncertain system(5) as in Proposition 1. At first glance, it may seem that item(b) easily fails if the model uncertainty is large. However, thisis often not the case even for large model uncertainty, as long asthe existing controller (3) is robust against the parametric uncer-tainties of Assumption 1. In fact, when a tracking or regulatingproblem is (robustly) solved by (3) for both actual and nominalsystems (with no attack), their outputs yn(t) and yo(t) reachthe same reference r(t) in the end. It means that yn(t) ≈ yo(t)during the steady-state operation of the system when the attackis usually initiated. In summary, we claim in this paper that thenew stealthiness is also valid if the uncertainty is not large or ifthe attack (16) enters the system in the steady state.

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4911

Remark 3: The stealthiness defined in Problem Statementis basically approximate in the sense that tfin �= ∞ and ε �= 0.Nonetheless, this approximation is enough for the attackers toremain undetected in practice, as long as: 1) the threshold ε isof the order of measurement noise, and 2) the attack detectoris designed based on the corrupted output measurement y(t);e.g., the observer-based fault detector in [26] consisting of aLuenberger observer

[˙z˙x

]

= An

[z

x

]

+ Bnu− Ln

(

Cn

[z

x

]

− y

)

(17a)

for the (attack-free) nominal model (12) of (1), and a residualsignal

rn(t) = Cn

[z(t)x(t)

]− y(t) (17b)

to be monitored, in which

An :=

[Sn GnCν

Bν ψ�n Aν + Bν φ

�n

]

,

Bn := [0ν ; gnBν ], Cn := [0�n−ν ,Cν ], and Ln is the observer gainmatrix satisfying that An − LnCn is Hurwitz. Indeed, underthe item (b) of Problem Statement, one can readily rewrite theattacked output y(t) as y(t) = yn(t) + w(t) where w(t) is a(noise-like) signal such that ‖w(t)‖ < ε for all t0 ≤ t ≤ tfin. Inthat case, with the output feedback-based detectors like (17), it ishardly possible to distinguish the effect of the attack from that ofthe actual noise (at least until the attack succeeds) [26]. Similarconclusion can be made with the conventional zero-dynamicsattack in Section II, which satisfies (9). �

We further remark that, different from traditional zero-dynamics attack (4), the attack generator (16) explicitly makesuse of the signals u and y. This is in fact the price to pay forthe robustness against model uncertainty; i.e., instead of usingless model knowledge, the attacker relies more on the input andoutput information of the plant to adjust to uncertain environ-ment on-line. In short, more disclosure resources are needed asfollows.

Assumption 2: The plant output y(t) and the control inputu(t) are available to attackers. �

In addition, for a technical reason, we restrict our atten-tion on the non-minimum phase systems with hyperbolic zero-dynamics.

Assumption 3: At least one of the eigenvalues of S lies in theopen right half-plane, and none of the eigenvalues are locatedon the imaginary axis of the complex plane. �

To distinguish (16) from the (non-robust) zero-dynamics at-tack (4), we call (16) a robust zero-dynamics attack. Overallconfigurations of these attack scenarios are depicted in Fig. 2.

B. A New Attack Policy on Unstable Zero-Dynamics

As an intermediate step, in this subsection we provide a newattack strategy on the non-minimum phase plant (1). It is notedin advance that the method to be provided here is not realizableyet, but we will shortly make it feasible in the next section.

Fig. 2. Configurations of two different attack scenarios: The zero-dynamics attack (4) requires the exact model knowledge, while the ro-bust zero-dynamics attack (16) instead utilizes the disclosure resources(i.e., u and y). (a) Conventional zero-dynamics attack (4). (b) Robustzero-dynamics attack (16).

The first task is, using the information of the output y, toduplicate the nominal zn-dynamics (18) as the form

zan = Snz

an +Gny (18)

where zan(t0) is chosen in Z0 . With the auxiliary state za

n and thenominal components ψn, φn, and gn, one can rewrite the timederivative of xν in (1b) as

xν = ψ�z + φ�x+ g(u+ a) (19a)

= ψ�n z

an + φ�n x+ gnu+ g(a− a�) (19b)

where a� ∈ R is defined as

a� :=1g

(− ψ�z + ψ�n z

an + (φ�n − φ�)x+ (gn − g)u

). (20)

Then the actual closed-loop system (5) (i.e., (1)–(3)) with theauxiliary dynamics (18) can be equivalently represented using(20) by

z = Sz +GCχ (same as (2)), (21a)

zan = Snz

an +GnCχ, (21b)

χ = Anχ+ Enr +B(g(a− a�) + ψ�

n zan

), (21c)

y = Cχ. (21d)

For now, we suppose that a� is available to the attacker, fromwhich the attack signal a is constructed as

a(t) = a�(t), ∀t ≥ t0 . (22)

It should be emphasized that under the attack a = a� , the(za

n , χ)-dynamics (21b)–(21d) is exactly the same as the nom-inal closed-loop system (14) where the auxiliary za

n-dynamicsdisguises as the plant’s internal dynamics. At the same time,the attack a = a� in (22) leaves the real (unstable) z-dynamics(21a) decoupled from (21b)–(21d) so that the real internal state

4912 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

z(t) possibly diverges. The discussion so far is summarized inthe following proposition.

Proposition 2: The solution [z(t); zan(t);χ(t)] of the closed-

loop system (5) under the attack (18), (20), and (22), initiatedin Z0 ×Z0 ×X0 , satisfies the following statements:

a) For almost every [z(t0); zan(t0);χ(t0)],3

‖zu(t)‖ → ∞ as t→ ∞; (23)

b) For the solution [zn;χn] of the nominal system (14) initi-ated at [zn(t0);χn(t0)] = [za

n(t0);χ(t0)],[za

n(t);χ(t)]

=[zn(t);χn(t)

], ∀t ≥ t0 .

Moreover, [zs(t); zan(t);χ(t)] ∈ Zs ×Zn ×X for all t ≥ t0

where Zs ⊂ Rμs , Zn ⊂ Rμ , and X ⊂ Rν+m are some compactsets. �

Proof: The item (b) is trivial and omitted. From (b), the laststatement also follows straightforwardly since r(t) is uniformlybounded. Now, for (a), let us define some matrices

As :=

⎡

⎢⎣

Ss 0 GsC

0 Sn GnC

0 Bψ�n An

⎤

⎥⎦, C :=

[0�μs

0�μ C],

B :=

⎡

⎢⎣

0μs

0μB

⎤

⎥⎦, Es :=

⎡

⎢⎣

0μs

0μEn

⎤

⎥⎦. (24)

Notice that As is Hurwitz. By this, one obtains the unique solu-tion T ∈ Rμu×(μs+μ+ν+m ) of the Sylvester equation

TAs − SuT +GuC = 0. (25)

With these symbols and the coordination transformations

ζs := [zs; zan ;χ] and ζu := zu + Tζs, (26)

we newly represent the overall system (21) as

zu = Suzu +GuCζs (27)

ζs = Asζs +Esr +Bg(a− a�). (28)

Differentiating ζu along with these two dynamics gives

ζu = zu + T ζs

=(Suzu +GuCζs

)+ T

(Asζs + Esr +Bg(a− a�)

)

= Suζu + TEsr + TBg(a− a�). (29)

It is then clear that under a(t) ≡ a�(t), the above ζu- andζs-dynamics become

ζs = Asζs + Esr, and ζu = Suζu + TEsr, (30)

respectively, so that both are decoupled from each other. Amongthem, the ζu-dynamics is anti-stable (i.e.,Su is anti-Hurwitz) and

3Throughout this paper, the statement “a property is satisfied for almostevery υ (in U ⊂ Rn )” should be interpreted as “a property is satisfied for everyυ ∈ U ⊂ Rn except those in a subset U� of Rn whose (Lebesgue) measure iszero.” Note that any set U� ⊂ Rn whose dimension is smaller than n has themeasure zero.

the external signal r(t) is bounded. Then, almost all trajectoriesζu(t) diverge as time goes on: more precisely, the divergenceof ζu(t) occurs for all admissible initial condition ζu(t0) exceptonly one point

ζu(t0) = −∫ ∞

t0

e−Su(v−t0 )TEsr(v)dv =: ζ�u,0 (31)

(which is well-defined because −Su is Hurwitz). This excep-tional initial condition generates the bounded solution of (29)

ζ�u (t) = −∫ ∞

t

e−Su(v−t)TEsr(v)dv, ∀t ≥ t0 . (32)

(The readers are referred to [29], [30] for more details on thebounded solution ζ�u (t) for anti-stable system.)

Once ζu(t) diverges as time goes on, zu(t) = ζu(t) − Tζs(t)also does because ζs(t) is bounded. Finally, one can summarizethe above arguments that (23) holds if [z(t0); za

n(t0);χ(t0)] ∈(Z0 ×Z0 ×X0) \ L�za,0 with the set

L�za,0 :={[z(t0); za

n(t0);χ(t0)]

:

zu(t0) + T[zs(t0); za

n(t0);χ(t0)]

= ζ�u,0

},

which concludes the proof. �Remark 4: Item (a) of Proposition 2 highlights that unlike

the conventional attack (4), the present one (22) might fail todamage the internal state zu(t) for the specific initial conditions[z(t0); za

n(t0);χ(t0)] ∈ L�za,0 , defined in the proof above. Worseyet, it is rarely possible to compute L�za,0 a priori, since ζ�u,0is determined by the future information of the external inputr(t) (so ζ�u (t) is non-causal). Nonetheless, this may not be abig problem to the adversary. Indeed, the Lebesgue measure ofL�za,0 is zero, which means that this unwanted scenario hardlyoccurs. �

Remark 5: The effect of the attack (20) at time t0 is to re-place the uncertain parameters and the state z in (19a) with thenominal ones and the state za

n as in (19b). As a result, it is likereplacing the zero-dynamics (21a) with (21b) at time t0 . In or-der to make this abrupt change as invisible as possible from theoutput response, it would be better to have za

n(t0) ≈ z(t0). Thisis possible in some situations: 1) the overall system is already inthe steady state (i.e., y(t) ≈ r(t)) before the attack is injectedso that the value of z is easily guessed (at least approximately);or 2) the model uncertainty is not too large to run a state ob-server before the initiation of the attack using the informationof y and u. If the attacker is not able to set za

n(t0) close toz(t0), then a control action of (3) may cause a transient fromt = t0 . More discussion can be found in Section IV with somesimulations. �

Even though the new attack policy (22) seems to resolve theconsidered problem directly (as in Proposition 2), there is stilla huge gap between (22) and the desired attack generator (16).This is because a� used in (22) is composed of uncertain pa-rameters and unmeasured states and thus it is not obtainablein general. Yet, surprisingly, we observe that the consideredsituation is analogous to one in robust control theory. Indeed,a�(t) represents the discrepancy between the actual and nominal

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4913

plants, which has been known in the literature under the nameof lumped disturbance (or total disturbance) [19], [27]. Fromthis viewpoint, the problem of our interest can be converted intohow to design a robust controller that estimates and compen-sates the lumped disturbance a� . Motivated by this, in the nextsection we will construct a disturbance observer [19], [20] asthe robust attack generator (16). We note in advance that thedisturbance observer to be presented will estimate and compen-sate the lumped disturbance a�(t) (approximately but) quicklyand accurately enough, from which the ideal attack policy (22)will be recovered in a practical sense.

C. Design of Robust Zero-Dynamics Attack Based onDisturbance Observer Technique

For the design of the attack generator (16), we first com-pute some bounds for the state variables of the overall system.Take compact sets Zn ⊂ Rμ and X ⊂ Rν that are strictly largerthan the bounded sets Zn and X in Proposition 2. Without lossof generality, these sets are selected large enough to satisfydist(∂Zn, ∂Zn) > ε and dist(∂X , ∂X ) > ε (where ε is givenin Problem Statement). We also choose a compact set Zs ⊃ Zs

such that the state trajectory zs(t) of (1a) belongs to Zs for allinitial condition z(t0) ∈ Z0 and for all χ(t) ∈ X . In addition,select a positive constant zu to be larger than the attack speci-fication zu in Problem Statement. It will be shown shortly thatthe state variable remains bounded as

‖zu(t)‖ ≤ zu and[zs(t); za

n(t);χ(t)] ∈ Zs × Zn × X (33)

until the attack (16) succeeds (in the sense of item (a) in ProblemStatement).

With these bounds, we consider the set

A :={a� in (20) :

[zu; zs; za

n ;χ]

is bounded as (33)}

which contains all possible values of a� of (20) with respectto the model uncertainty, the (bounded) state variables, andthe values of r(t). The set A is clearly bounded under theassumptions. Since computing the exact A can be a difficulttask, we instead choose any compact set A strictly larger thanA, which is enough for the design of the attack generator.

On top of that, some components to be used in the disturbanceobserver design are introduced below. First, let us choose asaturation function s : R → R that is of C1 and bounded, andsatisfies4

s(a) = a, ∀a ∈ A and 0 ≤ ∂s

∂a(a) ≤ 1, ∀a ∈ R. (34)

Also, define a diagonal matrix Γ(τ) := diag(τ, τ 2 , . . . , τ ν ) ∈Rν×ν which is invertible for any positive constant τ . (Here, τis a design parameter to be determined in Theorem 1.) Next,choose bi , i = 0, . . . , ν − 1, such that the transfer function

W (s) :=sν + bν−1s

ν−1 + · · · + b1s+ (g/gn)b0sν + bν−1sν−1 + · · · + b1s+ (g/gn)b0

(35)

4In other words, s is any smooth bounded function whose slope is limited byone and which is identity on A.

is strictly positive real where g and g are the bounds of g inAssumption 1.

Remark 6: Such coefficients bi can always be obtained inthe following two steps. First, simply select b1 , . . . , bν−1 suchthat sν−1 + bν−1s

ν−2 + · · · + b1 is Hurwitz. After that, choosesufficiently small b0 > 0 such that the Nyquist plot of

G1(s) =b0

sν + bν−1sν−1 + · · · + b1s

does not encircle the disk in the complex plane whose diameteris the real line segment between −gn/g and −gn/g. For moredetails, see [20]. �

Finally, following the design methodology of [28], we pro-pose the robust zero-dynamics attack (16) as the za

n-dynamics(18) and

pa =(Aν − Γ−1βCν

)pa +

b0τν

Bν

(u+ arza +

1gnψ�

n zan

)

+b0τν

1gn

(φn + Γ−1β

)y, (36a)

arza = s

(Cν p

a − b0τν

1gny

)(36b)

where pa ∈ Rν and zan ∈ Rμ are the states of the attack gen-

erator, φn := [φn,ν ; · · · ;φn,1 ] ∈ Rν and β := [bν−1 ; · · · ; b0 ] ∈Rν . It is noted that the output arza ∈ R will serve as an estimateof a� . We take pa(t0) in a compact set P0 ⊂ Rν while za

n(t0)belongs to Z0 . (While P0 can be any compact set, for example,P0 = {0} would work, it is preferred to have za

n(t0) ≈ z(t0) asdiscussed in Remark 5.)

The following theorem describes our main result that theproposed attack (18) and (36) recovers the attack performanceof the ideal attack policy (22) in a practical sense, while beingrobustly stealthy against model uncertainty.

Theorem 1: Suppose that Assumptions 1–3 hold. Then forgiven zu > 0 and ε > 0, there exists τ > 0 such that the solution[z(t); za

n(t);χ(t); pa(t)] of the closed-loop system (5) under therobust zero-dynamics attack a = arza in (18) and (36) with τ ∈(0, τ), initiated in Z0 ×Z0 ×X0 × P0 , satisfies the followingstatements:

a) For almost every [z(t0); zan(t0);χ(t0); pa(t0)], there ex-

ists tfin ≥ t0 such that

‖zu(tfin)‖ > zu; (37)

b) For the solution [zn;χn] of the nominal system (14) initi-ated at [zn(t0);χn(t0)] = [za

n(t0);χ(t0)],∥∥[za

n(t);χ(t)]− [zn(t);χn(t)]

∥∥ < ε (38)

for t0 ≤ t ≤ tfin. �

D. Proof of Theorem 1

The rest of this section is devoted to the proof of Theorem 1,which is outlined as follows. In Lemma 1, we first introducea coordinate change for the attacker’s state pa, denoted by η,which serves as an error variable between arza and a� in asense. After that, Lemma 2 carries out the stability analysisof the η-dynamics, by which it is seen that the attack signal

4914 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

arza(t) quickly converges to and remains close to a�(t) as longas ‖zu(t)‖ ≤ zu and τ is chosen sufficiently small. Then theremainder of the proof is motivated by Proposition 2 in whicha(t) is set as the ideal attack a�(t) (i.e., a(t) ≡ a�(t)). Based onthe Lyapunov argument, it is shown that after the convergenceof arza(t), the actual state [za

n(t);χ(t)] behaves similar to thenominal one [zn(t);χn(t)] until the attacker succeeds (and thusthe attack remains stealthy for a while). Finally, we observe thatthe remaining state zu(t) of the plant eventually encounters theset {zu : ‖zu‖ = zu} with a larger threshold zu > zu, for almostevery initial condition of the overall system.

To this end, we represent the attacked closed-loop system intothe singular perturbation form [21].

Lemma 1: With the coordinate changes (26) and

η1 = pa1 −

b0τν

1gny − a� , (39a)

ηi = τ i−1(pa

1(i−1) − b0

τν1gny(i−1)

), i = 2, . . . , ν, (39b)

the overall system (5), (18), (36), and a = arza is transformedinto the standard singular perturbation form:

(28), (29), and

τ η =(Aν − Bν β

�)η + b0Bν

(g − gn

gn

)a− τ

[a�

0ν−1

](40)

where β := [b0 ; · · · ; bν−1 ] ∈ Rν and

a := −arza + a� = −s(Cνη + a�)

+ a� . (41)

�The proof of Lemma 1 is found in the Appendix.With τ regarded as a perturbation parameter, from now on we

call η the fast variable, while the other states the slow variables.The following lemma indicates that as long as the slow variablesremain in the region of interest, the fast variable η approachesthe boundary layer η = 0 during transient period.

Lemma 2: Suppose that [z(t); zan(t);χ(t)] is bounded as in

(33) for t ≥ t0 . Then η(t) satisfies

‖η(t)‖ ≤ k2e−λ2 ((t−t0 )/τ )‖η(t0)‖ + κ(τ),∀t ≥ t0 , (42)

for some positive constants k2 and λ2 , and a class-K functionκ : R → R. �

Proof: For convenience, define a (time-varying) nonlinearfunction

sg(v, t) :=g − gn

gn

[s(v + a�(t)) − a�(t)

].

Then, under the hypothesis of the lemma, sg(0, t) ≡ 0 and

g − gn

gn≤ ∂sg

∂v=g − gn

gn

∂s

∂v≤ g − gn

gn

by the construction of s. Thus, sg(v, t) belongs to the sector[(g − gn)/gn, (g − gn)/gn]. Now, in the frame of scaled timeσ := t/τ , the time derivative of η with respect to σ is computedby

dη

dσ=(Aν − Bν β

�)η − b0Bν sg(Cν η, t) − τ

[a�

0ν−1

](43)

in which t = τσ.

Regarding τ [a� ; 0ν−1 ] as a perturbation term that vanisheswhen τ = 0, we concentrate on the stability of the unperturbedη-dynamics (i.e., (43) with τ = 0), which has the form of aLur’e-type nonlinear system

dη

dσ=(Aν − Bν β

�)η + b0Bν u, y = Cν η (44)

and a nonlinearity u = −sg(y, t). It is noted that the transferfunction of the linear part (44) is computed by

Cν

(sIν − Aν + Bν β

�)b0Bν

=b0

sν + bν−1sν−1 + · · · + b0=: G2(s).

This implies that the transfer function

1 + ((g − gn)/gn)G2(s)1 + ((g − gn)/gn)G2(s)

is the same as W (s), and thus it is strictly positive real. Thecircle criterion [21, Th. 7.1] concludes that the origin of theunperturbed η-dynamics (44) is globally exponentially stable,for which a quadratic Lyapunov function Vf(η) exists.

Finally, one can easily obtain the lemma by differentiating theLyapunov function Vf along with the perturbed system (43) andby noting that a� is a Lipschitz function of the state variablesand the external inputs r and r. �

For further analysis, we define an error variable [zan ; χ] :=

[zan − zn;χ− χn] on the slow variables, whose time derivative

is given (from (14) and (21)) by[

˙zan

˙χ

]

=

[Sn GnC

Bψ�n An

][za

n

χ

]

−[

0

B

]

ga. (45)

We remark that (45) is a stable linear system with an addi-tional external signal a(t). In particular, one has a Lyapunovfunction Vs(za

n , χ) := [zan ; χ]�Ps[za

n ; χ] where Ps = P�s > 0

satisfies

Ps

[Sn GnC

Bψ�n An

]

+

[Sn GnC

Bψ�n An

]�Ps = −I.

By differentiating Vs along with (45), we readily have

Vs < −λ3Vs + k3‖a‖ (46)

where λ3 and k3 are some positive constants. We note thatthe initial value of Vs is zero, because the nominal trajectory[zn(t);χn(t)] of interest is initiated at the same point as the realone [za

n(t);χ(t)]. In addition, due to the saturation function s,a has a bounded value at t = t0 independent of η. From thesefacts, one can select ttr > t0 sufficiently small such that

Vs(za

n(t), χ(t))< (ε2/2)min(Λ(Ps)), ∀t0 ≤ t ≤ ttr. (47)

Then the inclusions in (33) are satisfied for t0 ≤ t ≤ ttr. Noticethat the inequality (38) in Theorem 1 naturally holds duringthe transient period t0 ≤ t ≤ ttr. Keeping this in mind, in whatfollows we focus on the reduced time period t ≥ ttr.

Firstly, we claim that if the slow variables are bounded asin (33) for t ≥ ttr, then the fast variable η(t) with small τ re-mains around the boundary layer η = 0 for that time period.

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4915

Indeed, it follows from (39) that η(t0) has the form of a poly-nomial of 1/τ whose coefficients are determined by the initialconditions of the state variables. In particular, with τ ∈ (0, 1)we have ‖η(t0)‖ ≤∑ν

j=0 hj/τj where positive constants hj ,

j = 0, . . . , ν, are independent of τ . Lemma 2 implies that

‖η(t)‖ ≤ k2e−λ2 ((t tr−t0 )/τ )

ν∑

j=0

hjτ j

+ κ(τ) =: κ(τ), ∀t ≥ ttr

(48)where κ : R>0 → R>0 is continuous on τ and satisfies κ(τ) →0 as τ → 0 (because ttr − t0 > 0). This concludes the claim.For further analysis, we particularly choose 0 < τ 1 < 1 suchthat for all 0 < τ < τ 1 , the function κ(τ) satisfies

κ(τ) ≤ min(δ, (λ3/k3)ε2min(Λ(Ps))

)(49)

where δ > 0 is a small constant such that

a� ∈ A and ‖η‖ < δ ⇒ s(a� + Cν η

)= a� + Cν η.

Note that such δ always exists, since the saturation level set Aof s is selected strictly larger than A.

Next, we argue that for each 0 < τ < τ 1 , the inequality (38)holds (and thus a�(t) belongs to A) until ‖zu(t)‖ ≤ zu is vio-lated. To see this, it should be noted that if (33) holds for t ≥ ttr,then it follows from (46), (48), and (49) that

Vs < −λ3(Vs − ε2min(Λ(Ps))

).

This implies that the set

V :={[za

n ; χ] : Vs(zan , χ) ≤ ε2min(Λ(Ps))

}

is positively invariant. The proof of the argument is completeby noting that the error variable [za

n(t); χ(t)] is located inside Vat t = ttr, and that

‖[zan ; χ]‖ < ε ⇒ [za

n ;χ] = [zn + zan ;χn + χ] ∈ Zn × X .

At last, we complete the proof of the theorem by showingthat with sufficiently small τ , there exists a finite time t = tfinsuch that the partial state zu(t) satisfies (37) for almost every[z(t0); za

n(t0);χ(t0); pa(t0)] in Z0 ×Z0 ×X0 × P0 . It is obvi-ous from the arguments so far that as long as ‖zu(t)‖ ≤ zu and0 < τ < τ 1 , the saturation function s is inactive for t ≥ ttr. Thenone has a = −Cν η and a� = H1η +H2 [ζu; ζs] +H3 [r; r] forsome constant matricesHi , i = 1, 2, 3. It follows that the overall(transformed) system (28), (29), and (40) turns out to be linear;in particular,

τ η =(Aν − Bν β

�g

+ τH1)η + τH2

[ζu

ζs

]

+ τH3

[r

r

]

(50)

where

βg

:= β +g − gn

gnb0Cν = [

(g/gn

)b0 ; b1 ; · · · ; bν−1 ] ∈ Rν .

For further analysis, let us consider the non-symmetric algebraicRiccati equation

[Es

0

]

+X

(Aν − Bν β

�g

+ τH1

)

− τ

[Su 0

0 As

]

X − τRH2X = 0. (51)

Here, since the matrix Aν − Bν β�g

is Hurwitz, it follows from[31, Sec. 2.2] that there exists 0 < τ ≤ τ 1 such that for fixed τ ∈(0, τ), the solution X = X(τ) of (51) is uniquely determinedand its norm is bounded. Using this, we now take τ ∈ (0, τ) anddefine a coordinate change

[ζu; ζs] := [ζu; ζs] + τXη

Then with X =: [Xu;Xs] ∈ Rμu×ν × R(μs+n+m )×ν , it is easyto see that for t ≥ ttr,⎡

⎣˙ζu

˙ζs

⎤

⎦ =

[Su 0

0 As

][ζu

ζs

]

+

[TEs

Es

]

r + τ

[XuH3

XsH3

][r

r

]

.

(52)

Observe that the above ζu-dynamics is an anti-stable linear sys-tem with the bounded external signal r. Thus similar to the caseof Proposition 2, one has

zu(t) = ζu(t) − Tζs(t) − τXuη(t)

diverges as time goes on, as long as

ζu(ttr) �= −∫ ∞

t tr

e−Su(v−t)(

TEsr(v) + τXuH3

[r(v)

r(v)

])

dv

=: ζ�u,tr.

To find out the exceptional case at the initial time t = t0 (ratherthan at t = ttr), let us consider the backward solution of the ζu-dynamics in (52). If the solution is initiated at ζu(ttr) = ζ�u,tr, the

corresponding value ζu(t0), denoted by ζ�u,0 , is uniquely deter-mined. Using this, we can summarize that zu(t) must diverge if[z(t0); za

n(t0);χ(t0); pa(t0)] is not located in a Lebesgue mea-sure zero set L�rza,0 on which ζu(t0) = ζ�u,0 holds.

IV. SIMULATION RESULTS: POWER GENERATING SYSTEMS

We consider the scenario when a malicious attack enters apower generating system with a hydro turbine [32], [22], asdepicted in Fig. 3. A state-space representation of the plant isgiven by

ξ1 = −(1/Tlm)ξ1 + (Klm/Tlm)(ξ2 − 2ξ3), (53a)

ξ2 = −(2/Th)ξ2 + (6/Th)ξ3 , (53b)

ξ3 = −(1/Tg)ξ3 + (1/Tg)(u+ a− (1/R)ξ1

), (53c)

whereu is the input, y = ξ1 is the output, and ξ := [ξ1 ; ξ2 ; ξ3 ] :=[Δf ;ΔP + 2ΔX;ΔX] is the state consisting of the frequencydeviation Δf (Hz), the change in generator output ΔP (p.u.),

4916 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

Fig. 3. Configuration of a power generating system with a hydro turbine[22].

and the change in governor valve position ΔX (p.u.). Theconstants Tlm, Th, and Tg indicate time constants of load andmachine, hydro turbine, and governor, respectively, and R(Hz/p.u.) is the speed regulation due to the governor action. Thedetailed parameters of the plants are given byKlm = 1, Tlm = 6,Tg = 0.2, and R = 0.05, while Th ∈ [4, 6] is uncertain [22]. Torobustly regulate the output of the uncertain plant, the controlinput u is generated by a (band-limited) PID-type controllerK(s) = (1.8124s2 − 18.8558s+ 0.1523)/(0.01s2 + s).

For the attack design, with a suitable coordinate change

x1 := ξ1 ,

x2 := −(1/Tlm)ξ1 + (Klm/Tlm)ξ2 − (2Klm/Tlm)ξ3 ,

z := ξ2 + (3Tlm/Th)(1/Klm)ξ1 ,

we transform (53) into the Byrnes–Isidori normal form (1) asfollows:5

z = Sz +Gy, (54a)

x1 = x2 , (54b)

x2 = ψ�z + φ�x+ g(u+ a) (54c)

where

φ1 = − 3TlmTh

− 3T 2

h− 1TlmTg

− 3TlmTh

+1R

2Klm

Tlm

1Tg,

φ2 = − 1Tlm

− 3Th

− 1Tg,

ψ =Klm

Tlm

1Th

+Klm

Tlm

1Tg, g = −2Klm

Tlm

1Tg,

S =1Th, G = − 3

Klm

1Th

− 3Tlm

Klm

1T 2

h.

Note that the resulting parameters φ, ψ,G, and S depend on Th,and thus, are all uncertain, and that S = 1/Th > 0 so that thepower generating system (53) is of non-minimum phase. It canalso be seen that Δf = x1 , ΔP is a linear function of x1 andx2 , and ΔX is a linear function of x1 , x2 , and z. Hence, withdiverging z(t), only ΔX(t) diverges when x1(t) and x2(t) arebounded. So, the goal of the adversary is set to enforce the valveposition ΔX to become larger than 1 (p.u.) eventually, while

5The detailed derivation of the normal form representation andthe simulation files can be found in http://hdl.handle.net/10371/139645and https://github.com/CDSL-GitHub/RobustZeroDynamicsAttack-Sim, re-spectively.

Fig. 4. Simulation results with the conventional zero-dynamics attack(11) when Th = 4 = Th,n (black dashed), Th = 5 (red dash-dotted), andTh = 6 (blue solid). (a) Frequency deviation Δf (Hz). (b) Change in valveposition ΔX (p.u.). (c) Conventional zero-dynamics attack aza (p.u.).

the frequency deviation Δf = y remains small as |Δf | ≤ 0.02(Hz). As a result, the attack leads to overuse of water in a forebayfor generating the same amount of power.

For comparison, we now construct two types of attack gener-ator without knowledge on the value of Th. One is the conven-tional zero-dynamics attack (11) with a nominal value Th,n = 4.The other is the proposed robust zero-dynamics attack (18)and (36) designed with the same Th,n, zu = 1.6, and a sat-uration function s(a) whose inactive region A is selected as{a : |a| ≤ 20 000}. Initial conditions are set za(t0) = 0.001 for(11), za

n(t0) = −0.001 for (18), and pa(t0) = [0; 0] for (36).Selection for za

n(t0) is motivated by the fact that, in the steadystate, the regulated output Δf = y = 0 so that the steady statevalues for ξ and z are zero. (The effect of small mismatch be-tween z(t0) and za

n(t0) will be observed as a small transient ofy(t) in the simulation result around t = t0 .)

Figs. 4 and 5 depict the simulation results of applying theconventional attack (11) and the proposed attacks (18) and (36)with τ = 0.001 to the uncertain plant (53) at the time instantt = t0 := 60 (sec). As shown in these figures, when there is nouncertainty, both attacks work as desired and successfully spoilsthe plant. However, the conventional scheme (4) immediatelyfails to be stealthy if it encounters the uncertain plant (Fig. 4),while the proposed attack (18) and (36) remains robust againstmodel uncertainty (Fig. 5). It is worth noting that ΔX with therobust zero-dynamics attack diverges at different paces depen-dent on the value of Th. Indeed, this results from the fact that thereal z-dynamics under the robust zero-dynamics attack is leftalone, so that the divergence of z(t) depends on the unstable

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4917

Fig. 5. Simulation results with the proposed robust zero-dynamics at-tack (18) and (36) when τ = 0.001, Th = 4 = Th,n (black dashed), Th = 5(red dash-dotted), and Th = 6 (blue solid). (a) Frequency deviation Δf(Hz). (b) Change in valve position ΔX (p.u.). (c) Robust zero-dynamicsattack arza (p.u.).

Fig. 6. Simulation results with the robust zero-dynamics attack (18) and(36) where Th = 6 and τ = 0.005 (green dash-dotted) and τ = 0.001(blue solid). (a) Frequency deviation Δf (Hz). (b) Change in valve posi-tion ΔXG (p.u.).

mode of its dynamics (i.e., S = 1/Th). We also note that un-like the conventional zero-dynamics attack, the proposed robustzero-dynamics attack experiences a transient peak and varies bymodel uncertainty, in order to adjust the unknown environmentby estimating and compensating a�(t) during a short transient(Figs. 4(c) and 5(c)).

On the other hand, Fig. 6 depicts the plant’s output y underthe robust zero-dynamics attacks with different τ . The figurepoints out that for success of the attack, it is necessary for theadversary to take sufficiently small τ .

Fig. 7. Noisy output measurement Δf + w under the robust zero-dynamics attack (18) and (36).

To investigate the presented attack further, we perform thesame simulation of Fig. 5 again, with Th = 6 and a noisy mea-surement y = C2x+ w. Here,w(t) is selected to have the maxi-mum magnitude as 2 × 10−3 (Hz) and have the uniform distribu-tion. The simulation result is depicted in Fig. 7, which indicatesthat the robust zero-dynamics attack still remains stealthy evenin the presence of measurement noise.

V. CONCLUDING REMARKS

We have shown in this paper that fatal attacks on CPS arepossible without exact system knowledge, particularly whenthe adversary employs robust control techniques. Specifically,we have presented a robust zero-dynamics attack that remainsstealthy under model uncertainty as well as enforces the internalstate of the plant to diverge.

All the results of this work indicate that more research iscalled for to prevent the lethal cyber attack on CPS. Since therobust zero-dynamics attack relies on the disclosure resources,a possible remedy for its prevention is to encrypt the controlsystem [33] so that the input and output signals cannot be ob-tained by the adversary. One might also employ watermarkingschemes [34] to detect the proposed attack.

While this paper deals with SISO systems for simplicity ofexplanation, extending the result of Theorem 1 to a larger classof multi-input multi-output (MIMO) plants is still possible. Forinstance, it is shown in [35] that the disturbance observer schemein [20], [28] can be applied to a class of square MIMO systemswith a well-defined vector relative degree. Thus by employingthe modified version of the disturbance observer in [35] as anattack generator in a form similar to (18) and (36), a robustzero-dynamics attack is carried out for MIMO linear systems.A similar result also would be expected for the nonlinear systemscases, which will be addressed in future work.

APPENDIX

A. Proof of Lemma 1

We start by differentiating η1 and ηi , i = 2, . . . , ν − 1, as

η1 = pa1(1) − b0

τν1gny(1) − a� =

1τη2 − a� (55)

and

ηi = τ i−1(pa

1(i) − b0

τν1gny(i))

=1τηi+1 , (56)

4918 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 64, NO. 12, DECEMBER 2019

respectively. On the other hand, the time derivative of ην is givenby

ην = τν−1(pa

1(ν ) − b0

τν1gny(ν )

). (57)

In order to compute pa1(ν ) in (57), from now on we show that

for i = 1, . . . , ν − 1,

pa1(i) = pa

i+1 −i∑

k=1

bν−kτk

(pa

1 −1gn

b0τνy

)(i−k)

+b0τν

1gn

i∑

k=1

φn,ν−k+1xi−k+1 . (58)

This is proved by induction. When i = 1, the equality (58)directly follows from (36a). Suppose that (58) is satisfied forall i = 1, . . . , j − 1 and 1 ≤ j ≤ ν − 1. Then

pa1(j ) = (pa

1(j−1))(1) = pa

j −j−1∑

k=1

bν−kτk

(pa

1 −b0τν

1gny

)(j−k)

+b0τν

1gn

j−1∑

k=1

φn,ν−k+1 x(j−1)−k+1 .

Noting that x(j−1)−k+1 = xj−k+1 for k = 1, . . . , j − 1, and

paj = pa

j+1 −bν−jτ j

pa1 +

b0τν

1gn

(φn,ν−j+1 +

bν−mτj

)y

= paj+1 −

bν−jτ j

(pa

1 −b0τν

1gn

)y +

b0τν

1gnφn,ν−j+1x1 ,

one can conclude that (58) holds when i = j.Now using (58) with i = ν − 1 and

paν = − b0

τν

(pa

1 −b0τν

1gny

)+b0τν

1gnφn,1x1

+b0τν

(u+ arza +

1gnψ�

n zan

), (59)

one has

pa1(ν ) = (pa

1(ν−1))(1) = pa

ν −ν−1∑

k=1

bν−kτk

(pa

1 −b0τν

1gny

)(ν−k)

+b0τν

1gn

ν−1∑

k=1

φn,ν−k+1 xν−k

= −ν∑

k=1

bν−kτk

(pa

1 −b0τν

1gny

)(ν−k)

+b0τν

1gn

ν∑

k=1

φn,ν−k+1xν−k+1 +b0τν

(u+ arza +

1gnψ�

n zan

).

(60)

It then follows from (39), (59), and (60) that

ην = −1τ

ν∑

k=1

bν−kην−k+1

+b0τ

[arza − a� +

1gn

(φ�n x+ ψ�n z

an) + u− 1

gnx

(ν )1

]

= −1τ

ν∑

k=1

bν−kην−k+1 +b0τ

[arza − a� − g

gn(arza − a�)

]

(61)

where the latter equality comes from x(ν )1 = xν = ψ�

n zan +

φ�n x+ gnuc + g(arza − a�) (since (19)) and yields the lemma.

ACKNOWLEDGMENT

The authors thank the anonymous reviewers and editor fortheir helpful suggestions on the manuscript.

REFERENCES

[1] G. Park, H. Shim, C. Lee, Y. Eun, and K. H. Johansson, “When adver-sary encounters uncertain cyber-physical systems: Robust zero-dynamicsattack with disclosure resources,” in Proc. 55th IEEE Conf. Dec. Control,Dec. 2016, pp. 5085–5090.

[2] E. A. Lee, “Cyber physical systems: Design challenges,” in Proc. 11thIEEE Symp. Object Oriented Real-Time Distrib. Comput., May 2008,pp. 363–369.

[3] R. Baheti and H. Gill, “Cyber-physical systems,” The Impact of ControlTechnology, pp. 161–166, 2011.

[4] J. Lee, B. Bagheri, and H.-A. Kao, “A cyber-physical systems architec-ture for industry 4.0-based manufacturing systems,” Manuf. Lett., vol. 3,pp. 18–23, 2015.

[5] S. Gorman, “Electricity grid in U.S. penetrated by spies,” Wall Street J.,2009.

[6] T. Rid, “Cyber war will not take place,” J. Strategic Stud., vol. 35., no. 1,pp. 5–32, 2012.

[7] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A securecontrol framework for resource-limited adversaries,” Automatica, vol. 51,pp. 135–148, 2015.

[8] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identificationin cyber-physical systems,” IEEE Trans. Autom. Control, vol. 58, no. 11,pp. 2715–2729, Nov. 2013.

[9] H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control forcyber-physical systems under adversarial attacks,” IEEE Trans. Autom.Control, vol. 59, no. 6, pp. 1454–1467, Jun. 2014.

[10] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure controlsystems: A quantitative risk management approach,” IEEE Control Syst.,vol. 35, no. 1, pp. 24–45, Feb. 2015.

[11] C. Lee, H. Shim, and Y. Eun, “Secure and robust state estimationunder sensor attacks, measurement noises, and process disturbances:Observer-based combinatorial approach,” in Proc. 2015 Eur. ControlConf., Jul. 2015, pp. 1872–1877.

[12] Y. Shoukry, P. Nuzzo, A. Puggelli, A. L. Sangiovanni-Vincentelli, S.A. Seshia, and P. Tabuada, “Secure state estimation for cyber physicalsystems under sensor attacks: A satisfiability modulo theory approach,”IEEE Trans. Autom. Control, vol. 62, no. 10, pp. 4917–4932, Oct. 2017.

[13] Y. Mo, R. Chabukswar, and B. Sinopoli, “Detecting integrity attacks onSCADA systems,” IEEE Trans. Control Syst. Technol., vol. 22, no. 4,pp. 1396–1407, Jul. 2014.

[14] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealingstealthy attacks in control systems,” in Proc. 50th Ann. Allerton Conf.,Oct. 2012, pp. 1806–1813.

[15] Z. Guo, D. Shi, K. H. Johansson, and L. Shi, “Optimal linear cyber-attackon remote state estimation,” IEEE Trans. Control Netw. Syst., vol. 4, no. 1,pp. 4–13, Mar. 2017.

[16] C. Liu, J. Wu, C. Long, and Y. Wang, “Dynamic state recovery for cyber-physical systems under switching location attacks,” IEEE Trans. ControlNetw. Syst., vol. 4, no. 1, pp. 14–22, Mar. 2017.

PARK et al.: STEALTHY ADVERSARIES AGAINST UNCERTAIN CYBER-PHYSICAL SYSTEMS: THREAT OF ROBUST ZERO-DYNAMICS ATTACK 4919

[17] J. Kim, G. Park, H. Shim, and Y. Eun, “Zero-stealthy attack for sampled-data control systems: The case of faster actuation than sensing,” in Proc.55th IEEE Conf. Dec. Control, Dec. 2016, pp. 5956–5961.

[18] A. Hoehn and P. Zhang, “Detection of covert attacks and zero dynamicsattacks in cyber-physical systems,” in Proc. 2016 Amer. Control Conf.,Jul. 2016, pp. 302–307.

[19] H. Shim, G. Park, Y. Joo, J. Back, and N. H. Jo, “Yet another tutorialof disturbance observer: Robust stabilization and recovery of nominalperformance,” Control Theory Technol., vol. 14, no. 3, pp. 237–249, 2016,(special issue on disturbance rejection: a snapshot, a necessity, and abeginning).

[20] J. Back and H. Shim, “Adding robustness to nominal output-feedbackcontrollers for uncertain nonlinear systems: A nonlinear version of distur-bance observer,” Automatica, vol. 44, no. 10, pp. 2528–2537, 2008.

[21] H. K. Khalil, Nonlinear Systems, 3rd ed. Englewood Cliffs, NJ, USA:Prentice-Hall, 1996.

[22] T. Wen, “Unified tuning of PID load frequency controller for power sys-tems via IMC,” IEEE Trans. Power Syst., vol. 25, no. 1, pp. 341–350,Feb. 2010.

[23] I. Barkana, “Classical and simple adaptive control for nonminimum phaseautopilot design,” J. Guidance, Control, and Dynamics, vol. 28, no. 4,pp. 631–638, 2005.

[24] K. H. Johansson, “The quadruple-tank process: A multivariable laboratoryprocess with an adjustable zero,” IEEE Trans. Control Syst. Technol.,vol. 8, no. 3, pp. 456–465, May 2000.

[25] G. Park, C. Lee, and H. Shim, “On stealthiness of zero-dynamics attacksagainst uncertain nonlinear systems: A case study with quadruple-tankprocess,” in Proc. Int. Symp. Math. Theory Netw. Syst., 2018, pp. 10–17.

[26] I. Hwang, S. Kim, Y. Kim, and C. E. Seah, “A survey of fault detec-tion, isolation, and reconfiguration methods,” IEEE Trans. Control Syst.Technol., vol. 18, no. 3, pp. 636–653, May 2010.

[27] J. Han, “From PID to active disturbance rejection control,” IEEE Trans.Ind. Electron., vol. 56, no. 3, pp. 900–906, Mar. 2009.

[28] J. Back and H. Shim, “Reduced-order implementation of disturbance ob-servers for robust tracking of non-linear systems,” IET Control TheoryAppl., vol. 8, no. 17, pp. 1940–1948, 2014.

[29] L. R. Hunt, G. Meyer, and R. Su, “Noncausal inverses for linear systems,”IEEE Trans. Autom. Control, vol. 41, no. 4, pp. 608–611, Apr. 1996.

[30] Q. Jou and S. Devasia, “Preview-based stable inversion for output trackingof linear systems,” J. Dyn. Sys., Meas., Control, vol. 121, no. 4, pp. 625–630, 1999.

[31] P. Kokotovic, H. K. Khalil, and J. O’Reilly, Singular Perturbation Methodsin Control: Analysis and Design, SIAM, 1999.

[32] P. Kundur, Power System Stability and Control. New York, NY, USA:McGraw-Hill, 1994.

[33] J. Kim et al., “Encrypting controller using fully homomorphic encryp-tion for security of cyber-physical systems,” in Proc. 6th IFAC WorkshopDistrib. Estimation Control Netw. Syst., Sep. 2016, pp. 175–180.

[34] Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authentication of con-trol systems: Designing watermarked control inputs to detect counterfeitsensor outputs,” IEEE Control Syst., vol. 35, no. 1, pp. 93–1109, Feb. 2015.

[35] J. Back and H. Shim, “An inner-loop controller guaranteeing robust tran-sient performance for uncertain MIMO nonlinear systems,” IEEE Trans.Autom. Control, vol. 54, no. 7, pp. 1601–1607, Jul. 2009.

Gyunghoon Park received the B.S. degree inthe School of electrical and computer engineer-ing from the Sungkyunkwan University, Seoul,South Korea, in 2011, and M.S. and Ph.D. de-grees in the School of electrical engineering andcomputer science from the Seoul National Uni-versity, Seoul, South Korea, in 2013 and in 2018,respectively.From 2018 to 2019, he was a post-doctoral researcher in Automation and SystemResearch Institute, Seoul National University. Heis currently a postdoctoral researcher in Center

for Intelligent and Interactive Robotics, Korea Institute of Science andTechnology. His research interests include theory and application ofdisturbance observer, security of cyber-physical systems, analysis ofsampled-data system, and control of biped robots.

Chanhwa Lee received the B.S., M.S., andPh.D. degrees in electrical engineering fromSeoul National University, Seoul, Korea, in 2008,2010, and 2018, respectively.

From 2010 to 2012, he was an electrical en-gineer with Hyundai Engineering Company, Ko-rea. Since 2018, he has been with with HyundaiMotor Company, Korea, where he is currently asenior research engineer in Research & Devel-opment Division. His research interests includesecurity problems on cyber-physical systems,

estimator design for control systems, disturbance observer technique,automotive control systems, and vehicle platooning.

Hyungbo Shim (M’93–SM’14) received theB.S., M.S., and Ph.D. degrees from Seoul Na-tional University, Seoul, Korea, and held thepost-doc position at University of California,Santa Barbara, CA, USA, till 2001.

He joined Hanyang University, Seoul, Korea,in 2002. Since 2003, he has been with Seoul Na-tional University. He served as associate editorfor Automatica, IEEE Trans. on Automatic Con-trol, Int. Journal of Robust and Nonlinear Con-trol, and European Journal of Control, and as

editor for Int. Journal of Control, Automation, and Systems. He was theProgram Chair of ICCAS 2014 and Vice-program Chair of IFAC WorldCongress 2008. His research interest includes stability analysis of non-linear systems, observer design, disturbance observer technique, securecontrol systems, and synchronization.

Yongsoon Eun (M’03) received the B.A. degreein mathematics, and B.S. and M.S.E. degreesin control and instrumentation engineering fromSeoul National University, Seoul, Korea, in 1992,1994, and 1997, respectively, and Ph.D. degreein electrical engineering and computer sciencefrom the University of Michigan, Ann Arbor, MI,USA, in 2003.

From 2003 to 2012, he was a Research Sci-entist with the Xerox Innovation Group, Webster,NY, USA, where he worked on technologies in

the xerographic marking process and production inkjet printers. Since2012, he has been with DGIST, Korea, and currently is a Professor withthe Department of Information and Communication Engineering and Di-rector of DGIST Resilient Cyber-Physical Systems Research Center. Hisresearch interests include control systems with nonlinear sensors andactuators, control of quadrotors, communication network, industry 4.0production systems, and resilient cyber-physical systems.

Karl Henrik Johansson (F’13) received theM.Sc. and Ph.D. degrees from Lund University,Lund, Sweden.

He is currently Professor at the School ofElectrical Engineering and Computer Science,KTH Royal Institute of Technology, Stockholm,Sweden. He has held visiting positions at UCBerkeley, Caltech, NTU, HKUST Institute ofAdvanced Studies, and NTNU. His researchinterests are in networked control systems,cyber-physical systems, and applications in

transportation, energy, and automation.Dr. Johansson has served on the IEEE Control Systems Society Board

of Governors, the IFAC Executive Board, and the European Control As-sociation Council. He has received several best paper awards and otherdistinctions from IEEE and ACM. He has been awarded DistinguishedProfessor with the Swedish Research Council and Wallenberg Scholar.He has received the Future Research Leader Award from the SwedishFoundation for Strategic Research and the triennial Young Author Prizefrom IFAC. He is Fellow of the Royal Swedish Academy of EngineeringSciences, and he is IEEE Distinguished Lecturer.